A systemic review by Ontario’s Information and Privacy Commissioner has revealed that personal health information was improperly accessed by multiple staff members at Lakeridge Health facilities over a two-year period. The investigation, which spanned incidents reported between 2023 and 2025, found that various hospital personnel—including a doctor, nurses, a diagnostic imaging technician, a unit clerk, and a clinical extern—accessed patient records without authorization. These actions were found to be in direct breach of the Personal Health Information Protection Act (PHIPA).
The IPC report highlighted several critical failures in the hospital’s response to these breaches. Notably, Lakeridge Health did not immediately revoke electronic health record access for staff members under investigation, which allowed unauthorized “snooping” to continue in some instances. Furthermore, the adjudicator found that the hospital took a “significant amount of time” to notify affected patients and failed to recover a device onto which private information had been inappropriately downloaded by nurses.
Persistent Privacy Breaches and Systemic Concerns
Despite previous investigations and claims by the hospital that it had addressed privacy concerns, the IPC noted that inappropriate access continued to occur. The report documented a steady stream of breaches:
- 2023: Eight snooping breaches reported.
- 2024: Eight snooping breaches reported.
- 2025: Five breaches reported between January 1 and August 18.
The IPC adjudicator concluded that Lakeridge Health did not take reasonable steps to protect personal health information as required by law, citing systemic issues with the hospital’s breach investigation procedures.
Hospital Response and Mandated Changes
In response to the findings, Lakeridge Health issued a statement asserting that protecting patient privacy remains a “top priority” and that they are thoroughly reviewing the IPC’s decision. The organization noted that it has already made “significant improvements” to its policies and is the first healthcare provider in Canada to earn specific international certifications for information security and privacy management.
However, the IPC has ordered the hospital to implement several mandatory changes to its operations:
- Access Removal: The hospital must now decide on the interim removal of electronic record access for suspected staff at the very beginning of an investigation.
- Investigation Timelines: Lakeridge must establish clear target timelines for all unauthorized access investigations.
- Patient Notification: The hospital is required to notify affected individuals at the “first reasonable opportunity,” regardless of whether an investigation or disciplinary action is complete.
- Policy Amendments: Lakeridge must amend its formal privacy-related policies to reflect these new safety considerations.
















